IP Multimedia Security

ABSTRACT

A method of establishing keys for at least partially securing media plane data exchanged between first and second end users via respective first and second media plane network nodes. The method comprises sending session set-up signalling from said first end point towards said second end point, said session set-up signalling including a session key generated by said first end point. The set-up signalling is intercepted at a first signalling plane network node and a determination made as to whether or not a signalling plane key has already been established for securing the signalling plane between said first end point and said first signalling plane network node. If a signalling plane key has already been established, then a media plane key is derived from that signalling plane key, and the media plane key sent to said first media plane network node for securing the media plane between said first end user and said first media plane network node. If a signalling plane key has not already been established, then an alternative media plane key is derived from said session key and sent to said first media plane network node for securing the media plane between said first end user and said first media plane network node.

TECHNICAL FIELD

The invention relates to IP Multimedia security and in particular to amethod and apparatus for securing IP Multimedia user traffic in theaccess networks.

BACKGROUND

Internet Protocol (IP) Multimedia services provide a dynamic combinationof voice, video, messaging, data, etc. within the same session. Bygrowing the number of basic applications and the media which it ispossible to combine, the number of services offered to the end userswill grow, and the inter-personal communication experience will beenriched. This will lead to a new generation of personalised, richmultimedia communication services, including so-called “combinational IPMultimedia” services.

The UMTS (Universal Mobile Telecommunications System) is a thirdgeneration wireless system designed to provide higher data rates andenhanced services to subscribers. UMTS is a successor to the GlobalSystem for Mobile Communications (GSM), with an important evolutionarystep between GSM and UMTS being the General Packet Radio Service (GPRS).GPRS introduces packet switching into the GSM core network and allowsdirect access to packet data networks (PDNs). This enables high-datarate packet switched transmissions well beyond the 64 kbps limit of ISDNthrough the GSM call network, which is a necessity for UMTS datatransmission rates of up to 2 Mbps. UMTS is standardised by the 3rdGeneration Partnership Project (3GPP) which is a conglomeration ofregional standards bodies such as the European TelecommunicationStandards Institute (ETSI), the Association of Radio Industry Businesses(ARIB) and others. See 3GPP TS 23.002 for more details.

The so-called Long Term Evolution (LTE) is being developed as asuccessor to UMTS by 3GPP. It is hoped that LTE will increase data ratesgreatly, for example to 100 Mbps.

The 3G (UMTS/LTE) architectures includes a subsystem known as the IPMultimedia Subsystem (IMS) for supporting traditional telephony as wellas new IP multimedia services (3GPP TS 22.228, TS 23.228, TS 24.229, TS29.228, TS 29.229, TS 29.328 and TS 29.329 Releases 5 to 9). Securityfunctions for IMS are specified mainly in TS 33.203, but also in TS33.178. IMS provides key features to enrich the end-userperson-to-person communication experience through the use ofstandardised IMS Service Enablers, which facilitate new richperson-to-person (client-to-client) communication services as well asperson-to-content (client-to-server) services over IP-based networks.The IMS is able to connect to both PSTN/ISDN (Public Switched TelephoneNetwork/Integrated Services Digital Network) as well as the Internet.

The IMS makes use of the Session Initiation Protocol (SIP) to set up andcontrol calls or sessions between user terminals (or user terminals andapplication servers). The Session Description Protocol (SDP), carried bySIP signalling, is used to describe and negotiate the media componentsof the session. Whilst SIP was created as a user-to-user protocol, IMSallows operators and service providers to control user access toservices and to charge users accordingly. The 3GPP has chosen SIP forsignalling between a User Equipment (UE) and the IMS as well as betweenthe components within the IMS.

Whilst IMS has been established with UMTS/LTE access in mind, i.e. whereusers access the IMS services via UMTS cellular networks, IMS isintended to be used with a variety of access network technologiesincluding technologies defined outside 3GPP. As such, a user can connectto an IMS network in a number of different ways, all of which use theInternet Protocol (IP). Terminals implementing IMS clients (such asmobile phones, personal digital assistants, computers, and Home IMSGateways) can register directly on an IMS network, even when they areroaming in another network. The only requirement is that they can useIPv4/IPv6 and run Session Initiation Protocol (SIP) user agents. Fixedaccess (e.g., Digital Subscriber Line (DSL), cable modems, PON,Ethernet), mobile access (e.g. CDMA2000, GSM, GPRS, LTE) and wirelessaccess (e.g. WLAN, WiMAX) are all supported. Other phone systems likeplain old telephone service (POTS), H.323 and non IMS-compatible Voiceover IP (VoIP) systems, may be supported through gateways.

Considering security, IMS provides security for SIP signalling(subscriber authentication and SIP message integrity) built on ISIMbased AKA and IPSec as specified in TS 33.203. The 3GPP organisation iscurrently conducting a study to define a solution for IMS mediasecurity, see TR 33.828. Although there is currently no 3GPP standard tosecure media/user plane traffic (e.g. the VoIP traffic itself which istypically carried by Real-Time Transport Protocol (RTP)), in the casewhere an IMS user uses a mobile access network (e.g. 3GPP WCDMA or LTE),it can be assumed that IMS traffic sent across the access network isreasonably well secured by the underlying access network security (e.g.the air interface security of WCDMA). However, this is not the casewhere the access network is a public access network such as a WLAN orDSL network. The security of user authentication procedures may alsovary greatly between different access network types. For example, asdiscussed, strong ISIM based authentication may be used in 3GPP accessnetworks, but with only weak, password based (digest) authentication oreven “bundled” authentication (relying on Layer 2 authentication, TS33.178) being used in other access network types.

In order to provide security for IMS users with minimum impact on userterminals, it is proposed to implement an edge-to-access-edge (e2ae)media plane encryption solution. This is illustrated in FIG. 1 where anIMS session between two IMS users A and B is secured by encryptionbetween A and a first edge node EA (via an access router AR) and betweenB and a second edge node EB (via a cellular network comprising a BaseStation Transceiver BST). It is assumed that the media plane between EAand EB is secure as a result of the private nature of the operatornetwork(s). Such an e2ae solution is typically preferred over anend-to-end (e2e) solution, as an e2e solution would require someagreement between user terminals (and possibly access networks) as tokey negotiation mechanisms and would therefore be difficult, or evenimpossible, to implement in practice since A and B and/or theirrespective networks may not have interoperable security solutions. Afurther advantage of the e2ae approach is that an operator may easilyperform transcoding, rate adaptation, and/or lawful intercept on sessiondata, as the data is transported across its network without encryption(or at least in a form that can be decrypted by the operator).

The e2ae solution is often also preferred over an edge-to-middle (e2m)approach, in which user terminals establish a secure connection to acommon “middle-box” M, as such a solution requires that both ends haveaccess to such a middle-box and are able to communicate with it.

One possible e2ae solution is to employ the IETF protocol known asSession Description Protocol Security Descriptions for Media Streams(SDES), IETF RFC 4568.

In this approach, the end users (A and B) randomly select respectivekeys, KA and KB, and include them in the SIP call set-up signalling(e.g. INVITE, 200 OK). Rather than using the keys to establish e2e mediaplane security (with at least some of the ensuing disadvantages outlinedabove), certain Call Session Control Functions (CSCFs) within the IMS“snoop”, i.e. intercept and extract, these keys in the SIP messages anddistribute them to the respective edge-entities. Each edge-entity usesthe snooped key to secure data exchanged between it and the attached enduser (that is entity EA uses key KA to secure data with user A, andentity EB uses key KB to secure data with user B). Note that in practiceit may be desirable to use different keys when securing trafficoriginating at A (traffic from A to EA) and when securing trafficterminating at A (traffic forwarded by EA to A). However, as long as Aand EA have at least one shared key, KA, it will be easy for them toderive two (or more) keys from KA by application of a cryptographic keyderivation function. The same holds for B and EB of course. SDES is acandidate solution which is considered in the ongoing 3GPP study. Whilethis approach is generic, it has a major drawback in that the SIPsignalling itself may not be encrypted and hence the keys KA/KB areavailable in the clear to any third party as well. Therefore thissolution may utterly fail to provide security.

SUMMARY

It is an object of the invention to provide IP multimedia security bydetermining, within an IP multimedia network, whether or not arelatively strong security mechanism is available and, where it is, touse that mechanism to secure the user media plane.

According to a first aspect of the invention there is provided a methodof establishing keys for at least partially securing media plane dataexchanged between first and second end users via respective first andsecond media plane network nodes. The method comprises sending sessionset-up signalling from said first end point towards said second endpoint, said session set-up signalling including a session key generatedby said first end point. The set-up signalling is intercepted at a firstsignalling plane network node and a determination made as to whether ornot a signalling plane key has already been established for securing thesignalling plane between said first end point and said first signallingplane network node. If a signalling plane key has already beenestablished, then a media plane key is derived from that signallingplane key, and the media plane key sent to said first media planenetwork node for securing the media plane between said first end userand said first media plane network node. If a signalling plane key hasnot already been established, then an alternative media plane key isderived from said session key and sent to said first media plane networknode for securing the media plane between said first end user and saidfirst media plane network node. An example of said set-up signalling isa SIP INVITE message.

The first signalling plane network node may be a node within an IPMultimedia Subsystem network, in which case said signalling planenetwork node may be a Proxy Call State Control Function. The ofdetermining whether or not a signalling plane key has already beenestablished for securing the signalling plane between said first endpoint and said first signalling plane network node, may comprisedetermining whether or not an IP Multimedia Subsystem network AKAprocedure has been run between said first end point and the IPMultimedia Subsystem network.

Said session set-up signalling may contain an explicit indication ofwhether or not a signalling plane key has already been established.

In the case where a signalling plane key has already been established,said media key may be derived using both said signalling plane key andsaid session key.

In an embodiment of the invention, said session key may be generated andtransferred by said first end point in accordance with the SessionDescription Protocol Security Descriptions for Media Streams (SDES)protocol.

The method may comprise the steps of:

-   -   intercepting session set-up signalling at a second signalling        plane network node and determining whether or not a signalling        plane key has already been established for securing the        signalling plane between said second end point and said second        signalling plane network node; and    -   if a signalling plane key has already been established, then        deriving from that key a media plane key, and sending the media        plane key to said second media plane network node for securing        the media plane between said second end user and said second        media plane network node.

In this case, said second signalling plane network node may be a nodewithin an IP Multimedia Subsystem network. Said step of determiningwhether or not a signalling plane key has already been established forsecuring the signalling plane between said second end point and saidsecond signalling plane network node, may comprise determining whetheror not an IP Multimedia Subsystem network AKA procedure has been runbetween said second end point and the IP Multimedia Subsystem network.Said session set-up signalling intercepted at said second signallingplane network node may include a session key generated by said secondend point, the method comprising, in the event that a signalling planekey has not already been established, then deriving from said sessionkey an alternative media plane key, and sending that alternative mediaplane key to said second media plane network node for securing the mediaplane between said second end user and said second media plane networknode. Alternatively, said session set-up signalling intercepted at saidsecond signalling plane network node may include said session keygenerated by said first end point, the method comprising, in the eventthat a signalling plane key has not already been established, thenderiving from said session key an alternative media plane key, andsending that alternative media plane key to said second media planenetwork node for securing the media plane between said second end userand said second media plane network node.

According to a second aspect of the invention there is provided a userterminal for conducting a media session with a peer user terminal. Theapparatus a session key generator for generating a session key, and asession initiator for sending session set-up signalling towards saidpeer user terminal, via a first signalling plane network node, thesession initiator including in said signalling, said session key. Thereis also provided a media key generator for determining whether or not asignalling plane key has already been established for securing thesignalling plane between the user terminal and said first signallingplane network node, and, if a signalling plane key has already beenestablished, for then deriving from that signalling plane key a firstmedia plane key, and, if a signalling plane key has not already beenestablished, for then deriving from said session key a second mediaplane key. A session manager is further provided for using the first orsecond media plane key to secure the media plane between the userterminal and said first media plane network node. Said session initiatormay comprise an IP Multimedia Subsystem client.

Said media key generator may determine whether or not a signalling planekey has already been established by determining whether or not an IPMultimedia Subsystem AKA procedure has been run between the userterminal and an IP Multimedia Subsystem network.

Said session key generator and said session initiator may be configuredaccording to implement the Session Description Protocol SecurityDescriptions for Media Streams protocol.

According to a third aspect of the invention there is provided asignalling plane network node comprising a receiver for interceptingsession set-up signalling sent from a first end point towards a secondend point, and an analyzer for determining whether or not a signallingplane key has already been established for securing the signalling planebetween said first end point and the signalling plane network node.There is further provided a media plane key generator and distributorconfigured, in the event that a signalling plane key has already beenestablished, to derive from that key a media plane key, and, in theevent that a signalling plane key has not already been established, toderive from a session key included in said set-up signalling, analternative media plane key. The media plane key generator anddistributor is further configured to send the media plane key oralternative media plane key to said first media plane network node forsecuring the media plane between said first end point and said firstmedia plane network node.

The node may be an IP Multimedia Subsystem network server, for example aProxy Call State Control Function.

According to a fourth aspect of the invention there is provided acomputer program for causing a user terminal to perform the followingsteps:

-   1. generating a session key;-   2. sending session set-up signalling towards a peer user terminal,    via a first signalling plane network node, and including in said    signalling, said session key;-   3. determining whether or not a signalling plane key has already    been established for securing the signalling plane between the user    terminal and said first signalling plane network node, and, if a    signalling plane key has already been established, for then deriving    from that signalling plane key a first media plane key, and, if a    signalling plane key has not already been established, for then    deriving from said session key a second media plane key; and-   4. using the first or second media plane key to secure the media    plane between the user terminal and said first media plane network    node.

According to a fifth aspect of the invention there is provided computerprogram product including a computer useable medium having storedthereon a computer program according to the above fourth aspect of theinvention.

According to a sixth aspect of the invention there is provided computerprogram for causing a network node to perform the following steps:

-   1. intercepting session set-up signalling sent from a first end    point towards a second end point;-   2. determining whether or not a signalling plane key has already    been established for securing the signalling plane between said    first end point and the signalling plane network node;-   3. in the event that a signalling plane key has already been    established, to derive from that key a media plane key, and, in the    event that a signalling plane key has not already been established,    to derive from a session key included in said set-up signalling, an    alternative media plane key; and-   4. sending the media plane key or alternative media plane key to    said first media plane network node for securing the media plane    between said first end point and said first media plane network    node.

According to a seventh aspect of the invention there is providedcomputer program product including a computer useable medium havingstored thereon a computer program according to the above sixth aspect ofthe invention.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates various approaches to securing the media planebetween two user terminals engaged in an IMS enabled session;

FIG. 2 illustrates signalling associated with an e2ae approach tosecuring the media plane;

FIG. 3 is a flow diagram further illustrating the approach of FIG. 2;

FIG. 4 illustrates schematically a user terminal and a P-CSCF nodeconfigured to employ the approach of FIGS. 2 and 3; and

FIG. 5 illustrates signalling associated with an alternative e2aeapproach to securing the media plane.

DETAILED DESCRIPTION

Where a user terminal or user equipment (UE) attaches to an IPMultimedia Subsystem (IMS) network via a UMTS (or LTE) access network,the IMS AKA mechanism will most likely be used to authenticate thesubscriber and to secure traffic in the signalling plane. AKA results inthe creation and sharing of a pair of keys (Ck, Ik) between the UE and aP-CSCF. These keys can also be used as a basis for protecting user datain the media plane, e.g. by deriving a key K_media=hash(Ck, Ik, . . . )and providing this key from the P-CSCF to an edge entity. This edgeentity may be a Media Resource Function (MRF), or a gateway such as aSGSN, SAE or PDN gateway. Of course, when a user terminal accesses theIMS via some other access technology, the AKA related keys are notpresent and an alternative security mechanism is required. On the otherhand, a Session Description Protocol Security Descriptions for MediaStreams

(SDES) based approach has the advantage that it is independent of theuser authentication mechanisms that are being used (if any). A terminalusing the SDES protocol will always include an SDES-encoded key, KA, ina SIP call set-up message.

It is proposed here to detect within the IMS, e.g. at the P-CSCF,whether or not a user terminal has previously been authenticated usingIMS AKA. If so, then the media plane is secured based upon the sharedAKA keys. If not, the IMS falls back to an SDES-based e2ae approach.Considering this mechanism from the point of view of a P-CSCF, thefollowing high level steps can be defined:

-   1. Receive a SIP call set-up message from a UE (in this case UE A).-   2. “Snoop”, i.e. capture and inspect, the SIP message to identify    the SDES key, KA.-   3. Check if the UE A has previously authenticated using AKA (during    IMS registration), thereby creating keys (Ck, Ik).-   4. If so, derive media key K_media=hash(Ck, Ik, . . . ) else derive    media key

K_media=hash(KA, . . . ). [Alternatively, the P-CSCF may include the keyKA in the key derivation step, e.g. K_media=hash(KA, Ck, Ik, . . . ).]

-   5. Distribute K_media to the edge entity.

It will be understood that the UE must be aware of if (and how) it haspreviously been authenticated towards the IMS. The UE will perform theequivalent processing so as to derive the same key K_media.

FIG. 2 illustrates the proposed procedure in more detail, taking as anexample a scenario in which a user A has been authenticated using IMSAKA, but a peer user, user B, has not. Certain SIP messages which arenot directly relevant to the proposed mechanism are not shown for thesake of simplicity. The procedure involves the following steps:

-   1. UE A, wishing to initiate an IMS call to user B, chooses a random    SDES key, KA.-   2. UE A sends the SIP INVITE which includes (among other things) the    identity of user B and the key KA.-   3. The P-CSCF of A snoops the message and extracts the key KA. The    P-CSCF also checks if A has been previously authenticated using IMS    AKA. In this example, this is the case. The INVITE is forwarded    towards B's network. The P-CSCF of user A may or may not remove KA    before forwarding the INVITE towards UE B.-   4. UE B receives the INVITE via user B's P-CSCF (if included, the    P-CSCF may or may not remove KA from the INVITE).-   5. UE B generates an SDES key, KB, and includes it when accepting    the INVITE, sending a SIP OK including KB to its P-CSCF.-   6. The P-CSCF of user B snoops the key KB and checks if B has been    previously authenticated using IMS AKA. In this example, this is not    the case. The P-CSCF of B therefore creates a media key K′ in    dependence on the key KB (only). The SIP OK response is also    forwarded back towards user A's network, with or without KB.-   7. The P-CSCF of user B prepares for a secure media session by    sending K′ to EB.-   8. The SIP response accepting the call is received by user A's    P-CSCF, which now derives the media protection key K from KA, CkA    and IkA.-   9. The SIP response is forwarded back to UE A (with or without KB if    included in the response forwarded by user B's P-CSCF) and the key K    is sent to EA.-   10. UE A receives the call acceptance and derives the same key K.-   11. A secure media session is established between UE A and UE B, via    EA and EB, using e.g. the Secure Real-time Transport Protocol    (SRTP), RFC3711.

It will be clear that, in the above embodiment, the setup signallingbetween a UE and its associated P-CSCF will always “look” the same,regardless of whether or not any IMS AKA process has been run, and onlythe local processing in UE/P-CSCF differs.

In the exemplary embodiment above, it is assumed that both P-CSCFsimplements the security process as they both perform an authenticationcheck of their respective users. Of course, this is not necessary. Forexample, the P-CSCF of B could be a legacy P-CSCF unable to perform theauthentication check of step 6. In this case, P-CSCF B may create themedia key in dependence on KB. This further demonstrates the attractiveproperty of e2ae security, namely that each end of the connection mayuse different approaches to media security without interoperabilityproblems.

FIG. 3 is a flow chart illustrating the main process steps carried outon the calling party's side. The process beings at step 100, whereuponuser A initiates an IMS session with user B. This session may be, forexample, a Push-to-talk over Cellular (PoC) session or a multimediacall. At step 102, user A's terminal, UE A, generates an SDES sessionkey KA, and includes this in an INVITE that is sent towards user B. Atstep 103, the P-CSCF of user A (P-CSCF A) intercepts the INVITE. P-CSCFA then determines at step 104 whether or not IMS AKA has been run withuser A (that is since user A's last registration with the IMS network).If the answer is yes, and AKA keys CkA and IkA exist, these keys areidentified by the P-CSCF A at step 105 and are used at step 106,together with the session key KA, to generate a new media key K. If itis determined at step 104 that no IMS AKA has been run, then a new mediakey is generated at step 107 using the session key KA. At step 108 thenew media key is sent by the P-CSCF to the responsible media handler.The P-CSCF then sends the INVITE on towards its destination at step 109,and the session setup continues, step 110. It will be appreciated thatthe order in which the steps are carried out may differ somewhat fromthe illustrated order.

FIG. 4 illustrates schematically components of a UE (in this case UE A)and a P-CSCF (in this case P-CSCF A). The UE 1 comprises a key (KA)generator 2 implementing the key generation function for the SDESprotocol. This key (a random or pseudo-random number) is provided to aSIP user agent (UA) 3 which controls IMS session establishment. The UEalso comprises a media key (K) generator 4 which is able to generate amedia key depending upon whether the UE has previously beenauthenticated to the IMS network using IMS AKA and involving asignalling plane authentication unit 10, in this case an AKA unit. Thekey is passed to a session manager 5 for use in securing the mediaplane. The UE may also comprise a digital memory or carrier 11 storing acontrol program 12. This control program interacts with the hardware toperform the required functions. Of course, any appropriate combinationof hardware and software may be employed to implement the securityprocesses within the UE.

The P-CSCF 6 comprises a receiver 7 for intercepting the SIP INVITE sentout by the UE 1. The receiver passes the INVITE to an analyzer 8 whichidentifies User A and determines whether or not IMS AKA has been run forthe user. Depending upon the result, a key generator and distributor 9first generates the media key K, and then passes this to an appropriatemedia handler (not shown). The UE may also comprise a digital memory orcarrier 14 storing a control program 15. This control program interactswith the hardware to perform the required functions. Of course, anyappropriate combination of hardware and software may be employed toimplement the security processes within the P-CSCF.

It is of course possible that a terminal/network will support IMS AKAbut not SDES. In this case, the P-CSCF and the UE would derive a key(from Ck, Ik only) and push it to the edge node.

It will be appreciated that if, for example, UE B and/or user B'snetwork does not support SDES or IMS AKA, security will be provided butonly between A and EA.

IMS AKA is only one example of a secure authentication and keygeneration scheme that may be detected and re-used. The only requirementon the mechanism used is that it produces a key (corresponding to (Ck,Ik)) shared between an end-user and the P-CSCF. Alternatives to IMS AKAinclude, for example, a Public Key Infrastructure (PKI) mechanism (e.g.TLS, RFC5246) or a password authenticated Diffie-Hellman mechanism (e.g.SPEKE, ISO/IEC 11770-4).

Alternatives to SDES as the fallback security mechanism may also beconsidered. For example, tickets according to a Keberos-like approach(RFC4120) may be employed, but instead of encrypting the tickets theseare sent unprotected. Use of tickets is, as such, also discussed as anoption in the aforementioned TR 33.828.

In the approach described with reference to FIG. 2, the SDES key iscreated by UE B and returned to user B's P-CSCF in step 5. Analternative is that the key on the terminating side is communicated inthe other direction. That is, the SDES key on the UE B side is chosen byuser B's P-CSCF and included when the SIP INVITE is sent to UE B in step4. Security on the terminating leg is therefore initiated on the networkside, rather than on the terminal side. If the P-CSCF of user A retainedthe SDES key KA when forwarding the INVITE to user B's network in step3, the P-CSCF of user B may simply forward the same key to UE B.However, this would result in KA=KB which may not always be desirablefrom a security point of view.

Typically, the entities EA/EB may not lie in the SIP signalling path. Asignalling flow applicable to this network architecture is shown in FIG.5. The protocol employed between the P-CSCFs and EA/EB may be SIP, H.248or some other suitable protocol.

As will be understood from the above discussion, a UE and the associatedP-CSCF should know implicitly whether or not the keys KA and KB havebeen previously established during the IMS AKA authentication.Nonetheless, the risk of incorrect key derivation may be reduced byadding an information element to the SIP signalling, explicitly statingwhether (or not) IMS AKA has been used. For example, the UE A couldinclude in the SIP INVITE a “reference” to the authentication, e.g. byincluding the RAND value used for IMS AKA (which would be similar to theuse of the B-TID in the Generic Bootstrapping Architecture (GBA)).Absence of this indication may then also be used by the P-CSCF toconclude that the UE lacks a (valid) key and this may for instancetrigger a new IMS AKA procedure before the call is set up. Similarly, asanother option, the P-CSCF may in a reply (e.g. in conjunction with theSIP TRYING or 200 OK messages) include a hint, confirming to the UE thatthe P-CSCF was able to find the correct shared key, thereby increasingthe robustness of the approach.

It will be appreciated by the person of skill in the art that variousmodifications may be made to the above described embodiments withoutdeparting from the scope of the present invention. For example, whilstthe embodiments described above have been concerned with a 3GPP IMSsetting, the invention is also applicable in non-3GPP settings. It isonly required that a media session set-up signalling protocol (e.g. SIP)is used between the end-users and some signalling server with which theusers may establish shared keys, e.g. as result of userauthentication/registration. Furthermore, any suitable data securitymechanism may be used to secure data in the media plane using thederived media keys. For services based on TCP/UDP, PSK-TLS/TLS may beemployed, see IETF RFCs 5246 and 4347. Alternatively, media may beprotected on the IP layer, using for example IPSec.

According to another modification to the embodiments described above, itis possible to perform the network key generation step at a signallingplane node other then the P-CSCF. For example, a suitable alternativemight be an S-CSCF.

1-24. (canceled)
 25. A method of establishing keys for at leastpartially securing media plane data exchanged between first and secondend points via respective first and second media plane network nodes,the method comprising: sending session set-up signalling from said firstend point towards said second end point, said session set-up signallingincluding a session key generated by said first end point; interceptingsaid set-up signalling at a first signalling plane network node anddetermining whether a signalling plane key has already been establishedfor securing the signalling plane between said first end point and saidfirst signalling plane network node; if the signalling plane key hasalready been established, then deriving from the signalling plane key amedia plane key, and sending the media plane key to said first mediaplane network node for securing the media plane between said first endpoint and said first media plane network node; and if the signallingplane key has not already been established, then deriving from saidsession key an alternative media plane key, and sending the alternativemedia plane key to said first media plane network node for securing themedia plane between said first end point and said first media planenetwork node.
 26. The method according to claim 25, wherein said set-upsignalling comprises a Session Initiation Protocol (SIP) INVITE message.27. The method according to claim 25, wherein said first signallingplane network node comprises a node within an Internet Protocol (IP)Multimedia Subsystem network.
 28. The method according to claim 27,wherein said signalling plane network node comprises a Proxy Call StateControl Function.
 29. The method according to claim 27, whereindetermining whether the signalling plane key has already beenestablished for securing the signalling plane between said first endpoint and said first signalling plane network node comprises determiningwhether an IP Multimedia Subsystem network AKA procedure has been runbetween said first end point and the IP Multimedia Subsystem network.30. The method according to claim 25, wherein said session set-upsignalling comprises an explicit indication of whether the signallingplane key has already been established.
 31. The method according toclaim 25, wherein, if the signalling plane key has already beenestablished, deriving the media key further comprises deriving the mediakey using both said signalling plane key and said session key.
 32. Themethod according to claim 25, wherein said session key is generated andtransferred by said first end point in accordance with the SessionDescription Protocol Security Descriptions for Media Streams protocol.33. The method according to claim 25 further comprising: interceptingsession set-up signalling at a second signalling plane network node anddetermining whether a second signalling plane key has already beenestablished for securing the signalling plane between said second endpoint and said second signalling plane network node; and if the secondsignalling plane key has already been established, then deriving fromthe second signalling plane key a second media plane key, and sendingthe second media plane key to said second media plane network node forsecuring the media plane between said second end point and said secondmedia plane network node.
 34. The method according to claim 33, whereinsaid second signalling plane network node comprises a node within anInternet Protocol (IP) Multimedia Subsystem network.
 35. The methodaccording to claim 34, wherein determining whether the second signallingplane key has already been established for securing the signalling planebetween said second end point and said second signalling plane networknode comprises determining whether an IP Multimedia Subsystem networkAKA procedure has been run between said second end point and the IPMultimedia Subsystem network.
 36. The method according to claim 35,wherein said session set-up signalling intercepted at said secondsignalling plane network node includes a second session key generated bysaid second end point, the method further comprising, in the event thatthe second signalling plane key has not already been established,deriving from said second session key a second alternative media planekey, and sending the second alternative media plane key to said secondmedia plane network node for securing the media plane between saidsecond end point and said second media plane network node.
 37. Themethod according to claim 35, wherein said session set-up signallingintercepted at said second signalling plane network node includes saidsession key generated by said first end point, the method furthercomprising, in the event that the second signalling plane key has notalready been established, deriving from said second session key a secondalternative media plane key, and sending the second alternative mediaplane key to said second media plane network node for securing the mediaplane between said second end point and said second media plane networknode.
 38. A user terminal for conducting a media session with a peerterminal, said user terminal comprising: a session key generatorconfigured to generate a session key; a session initiator configured tosend session set-up signalling towards said peer user terminal, via afirst signalling plane network node, the session initiator includingsaid session key in said signalling; a media key generator configured todetermine whether a signalling plane key has already been establishedfor securing the signalling plane between the user terminal and saidfirst signalling plane network node, and, if the signalling plane keyhas already been established, for then deriving from said signallingplane key a first media plane key, and, if the signalling plane key hasnot already been established, for then deriving from said session key asecond media plane key; and a session manager configured to use thefirst or second media plane key to secure the media plane between theuser terminal and said first media plane network node.
 39. The userterminal according to claim 38, wherein said session initiator-comprisesan Internet Protocol (IP) Multimedia. Subsystem client.
 40. The userterminal according to claim 39, wherein said media key generatordetermines whether the signalling plane key has already been establishedby determining whether an IP Multimedia Subsystem AKA procedure has beenrun between the user terminal and an IP Multimedia Subsystem network.41. The user terminal according to claim 38, wherein said session keygenerator and said session initiator are configured according to theSession Description Protocol Security Descriptions for Media Streamsprotocol.
 42. A signalling plane network node comprising: a receiverconfigured to intercept session set-up signalling including a sessionkey, said set-up signalling sent from a first end point towards a secondend point; an analyzer configured to determine whether a signallingplane key has already been established for securing the signalling planebetween said first end point and the signalling plane network node; anda media plane key generator and distributor configured, in the eventthat the signalling plane key has already been established, to derivefrom the signalling plane key a media plane key, and, in the event thatthe signalling plane key has not already been established, to derivefrom the session key an alternative media plane key, and to send themedia plane key or the alternative media plane key to said first mediaplane network node for securing the media plane between said first endpoint and said first media plane network node.
 43. The signalling planenetwork node according to claim 42, wherein the signalling plane networknode comprises an Internet Protocol (IP) Multimedia Subsystem networkserver.
 44. The signalling plane network node according to claim 43,wherein the signalling plane network node comprises a Proxy Call StateControl Function.
 45. A computer program stored on a computer readablemedium and comprising computer program instructions for execution by auser terminal and configured to cause the user terminal to: generate asession key; send session set-up signalling towards a peer terminal, viaa first signalling plane network node, and including in said set-upsignalling said session key; determine whether a signalling plane keyhas already been established for securing the signalling plane betweenthe user terminal and said first signalling plane network node, and, ifthe signalling plane key has already been established, for then derivingfrom the signalling plane key a first media plane key, and, if thesignalling plane key has not already been established, for then derivingfrom said session key a second media plane key; and use the first orsecond media plane key to secure the media plane between the userterminal and said first media plane network node.
 46. A computer programstored on a computer readable medium and comprising computer programinstructions for execution by a network node configured to cause thenetwork node to: intercept session set-up signalling sent from a firstend point towards a second end point, said set-up signalling including asession key; determine whether a signalling plane key has already beenestablished for securing the signalling plane between said first endpoint and the signalling plane network node; in the event that thesignalling plane key has already been established, to derive from thatkey a media plane key, and, in the event that the signalling plane keyhas not already been established, to derive from the session key analternative media plane key; and sending the media plane key or thealternative media plane key to said first media plane network node forsecuring the media plane between said first end point and said firstmedia plane network node.